[Bug 258960] mounting a corrupt FAT32 disk can consume all memory

From: <bugzilla-noreply_at_freebsd.org>
Date: Wed, 06 Oct 2021 09:26:33 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=258960

            Bug ID: 258960
           Summary: mounting a corrupt FAT32 disk can consume all memory
           Product: Base System
           Version: 13.0-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu
 Attachment #228476 mime type: text/plain

Created attachment 228476
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=228476&action=edit
Program to generate a FAT32 image that causes mount_msdosfs to allocate huge
amounts of memory.

I've attached a program that generates a FAT32 disk image that, when
mounted, causes the kernel's msdosfs_mount() to try to allocate 1000
GB of memory. On my machine this ends up killing every process due to
lack of swap. I don't think the mount process itself can be killed, so
it's a fairly fatal condition. The cause is some parameters in the
FAT32 image that have outrageous values, for example the "total
logical sectors" at BPB offset 0x020 is 120 million, much larger than
the actual disk image. msdosfs_mount() allocates an amount of memory
derived from pmp->maxcluster, which is the product of some of these
huge values:

    pmp->pm_inusemap = malloc(howmany(pmp->pm_maxcluster + 1, N_INUSEBITS)
                  * sizeof(*pmp->pm_inusemap),
                  M_MSDOSFSFAT, M_WAITOK);

Here's how to produce and mount an image that causes this problem,
using the attached fat323.c program:

% cc fat323.c
% ./a.out
% sudo mdconfig -f fat323.img
% sudo mount_msdosfs /dev/md0 /mnt

My machine runs FreeBSD xxx 13.0-RELEASE-p4 FreeBSD 13.0-RELEASE-p4 #0: Tue Aug 24 07:33:27 UTC 2021 root@amd64-builder.daemonology.net:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64

-- 
You are receiving this mail because:
You are the assignee for the bug.
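A defensive check for the failure this report describes, added here as an example and not taken from the report's attachment or from the FreeBSD tree: it validates the FAT32 BPB fields against the real size of the backing device and against the FAT's own capacity before anything is sized from the cluster count. The maxcluster arithmetic (data sectors divided by sectors per cluster) follows the general FAT layout rather than the kernel's exact code, and the 32-bit bitmap word, the boot-sector builder and the sample geometries are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define N_INUSEBITS 32   /* bits per bitmap word; assumes 8 * sizeof(u_int) as in msdosfs */

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p) { return le16(p) | ((uint32_t)le16(p + 2) << 16); }
static void put16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void put32(uint8_t *p, uint32_t v) { put16(p, v & 0xffff); put16(p + 2, v >> 16); }

/* Build a constructed FAT32 boot sector holding only the BPB fields the check reads. */
void fat32_make_bpb(uint8_t bs[512], uint16_t bps, uint8_t spc, uint16_t resv,
                    uint8_t nfats, uint32_t tot32, uint32_t spf)
{
    memset(bs, 0, 512);
    put16(bs + 0x0B, bps);  bs[0x0D] = spc;  put16(bs + 0x0E, resv);
    bs[0x10] = nfats;       put32(bs + 0x20, tot32);  put32(bs + 0x24, spf);
}

/*
 * Check the BPB against the real size of the backing device before any
 * allocation is sized from it. Returns 0 and fills *maxcluster if the
 * geometry is plausible, else a negative code for the first inconsistency.
 */
int fat32_check_bpb(const uint8_t bs[512], uint64_t dev_bytes, uint64_t *maxcluster)
{
    uint32_t bps = le16(bs + 0x0B), spc = bs[0x0D], resv = le16(bs + 0x0E);
    uint32_t nfats = bs[0x10], spf = le32(bs + 0x24);
    uint32_t tot = le16(bs + 0x13) ? le16(bs + 0x13) : le32(bs + 0x20); /* total logical sectors */
    uint64_t sys, clusters;

    if (bps < 512 || bps > 4096 || (bps & (bps - 1)))     return -1;
    if (spc == 0 || (spc & (spc - 1)))                    return -2;
    if (nfats == 0 || spf == 0 || resv == 0 || tot == 0)  return -3;
    if ((uint64_t)tot * bps > dev_bytes)                  return -4; /* claims sectors the device lacks */
    sys = (uint64_t)resv + (uint64_t)nfats * spf;         /* sectors before the data area */
    if (sys >= tot)                                       return -5;
    clusters = (tot - sys) / spc;                         /* data clusters; 0 and 1 are reserved */
    if ((uint64_t)spf * bps / 4 < clusters + 2)           return -6; /* FAT too small to map them */
    *maxcluster = clusters + 1;                           /* highest valid cluster number */
    return 0;
}

/* Bytes an in-use bitmap sized like pm_inusemap would need for a given maxcluster. */
uint64_t fat32_inusemap_bytes(uint64_t maxcluster)
{
    return ((maxcluster + 1 + N_INUSEBITS - 1) / N_INUSEBITS) * sizeof(uint32_t);
}
```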